What I Learned at the RSA Conference

Random Observations from the RSA Conference

I went to my first RSA Security conference this week and thought I’d share the experience. This conference started back when RSA (the secure token people) was an independent company. Since that time, they’ve been acquired by Dell. But the conference has taken on a life of its own and continues even after the acquisition of RSA. The RSA Conference is the equivalent of the Consumer Electronics Show for the security business.

I’ll talk more about the trade show, but first I want to share some things I learned at an event put on by one of CGNET’s security partners, IOActive.

IOActive (read about them here) chose not to participate in RSA via the trade show floor. Instead, they rented a meeting space down the street from Moscone Center and invited customers and partners to meet them there. They had a great name for their setup: IOAsis. As in, come down and take a break from the madness of RSA.

Security Points to Ponder

IOActive ran several small-group sessions on different security topics. Here are some of my takeaways from those sessions.

Organizations need to think about resilience and robustness vs. just preventing attacks. How can you create “firewalls” within your systems, so that a successful intrusion only exposes a limited amount of information? How can you build in resilience, so that (as with disaster recovery) the organization can return to a functioning state while the effects of an attack are dealt with?

Hacking tools are increasing in sophistication and availability. This development means that attacks of increasing sophistication are being carried out by attackers lower in the “food chain”.

Unsurprisingly, getting the fundamentals of cyber defense right is an important step to accomplish. You have to keep your servers and devices patched. You have to remove services that are exposed to the Internet if they’re no longer needed. You have to train users on how to recognize phishing attempts.

There was discussion of cyber defense as a business decision. What’s the cost to defend against different kinds of attacks? What’s the benefit? The people responsible for cyber security must be engaged with the business. That’s the only way to judge how much security is enough.

Organizations often overlook application security. The most valuable intellectual property for the organization is often in the ERP system. But how secure is that system? And remember, it’s designed to serve up data easily and at scale!

One panelist talked about the “security contract.” If process A is sending a message on to process B without validating the message contents first, then maybe process B shouldn’t consider the contents of the message to be trustworthy.
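Here is what that "security contract" looks like in code. This is an added example, not code from the post or from IOActive: a hypothetical process B receives JSON messages from an upstream process A, and the two sample messages are constructed. The trusting handler uses whatever arrives; the validating handler enforces B's own contract (type, range, character set, allow-list) before using anything, regardless of what A did or did not check.

```python
"""Consumer-side validation at a process boundary (the "security contract").

Process A (hypothetical upstream producer) hands process B JSON messages.
B must not assume A validated anything, so B checks every field itself.
"""
import json
import re
from typing import Optional

# Constructed samples of what process B might receive from process A.
WELL_FORMED = '{"user": "alice", "amount": 120, "currency": "USD"}'
MALFORMED = '{"user": "bob; DROP TABLE accounts", "amount": "1e308", "currency": "usd"}'

# B's contract: what it is willing to accept, stated as allow-lists and ranges.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")
ALLOWED_CURRENCIES = {"USD", "EUR", "GBP"}
MAX_AMOUNT = 1_000_000


class ContractViolation(ValueError):
    """Raised when an upstream message does not meet B's input contract."""


def handle_trusting(raw: str) -> dict:
    """Process B trusting A: parses and uses the fields as-is.

    Any type, range or character-set assumption B makes later is really an
    assumption about A's behaviour, which B cannot see or enforce.
    """
    msg = json.loads(raw)
    return {"user": msg["user"], "amount": msg["amount"], "currency": msg["currency"]}


def validate_message(raw: str) -> dict:
    """Process B enforcing its own contract on whatever A sends."""
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ContractViolation(f"not JSON: {exc}") from None
    if not isinstance(msg, dict):
        raise ContractViolation("top-level value must be an object")
    # Exact field set: unexpected extra fields are rejected, not ignored.
    if set(msg) != {"user", "amount", "currency"}:
        raise ContractViolation(f"unexpected field set: {sorted(msg)}")

    user = msg["user"]
    if not isinstance(user, str) or not USERNAME_RE.fullmatch(user):
        raise ContractViolation("user fails character/length rule")

    amount = msg["amount"]
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(amount, bool) or not isinstance(amount, int):
        raise ContractViolation("amount must be an integer")
    if not 0 < amount <= MAX_AMOUNT:
        raise ContractViolation("amount out of range")

    currency = msg["currency"]
    if currency not in ALLOWED_CURRENCIES:
        raise ContractViolation("currency not in allow-list")

    return {"user": user, "amount": amount, "currency": currency}


def handle_validating(raw: str) -> Optional[dict]:
    """Returns the accepted message, or None when B's contract is violated."""
    try:
        return validate_message(raw)
    except ContractViolation:
        return None


if __name__ == "__main__":
    print("trusting  :", handle_trusting(MALFORMED))    # garbage flows through
    print("validating:", handle_validating(MALFORMED))  # None: rejected at the boundary
    print("validating:", handle_validating(WELL_FORMED))
```

The trusting handler happily returns a string where an amount is expected and a user name containing shell-like punctuation; the validating handler refuses the same message at the boundary. Where the contract is rejected, B should also log the rejection, since a stream of violations from A is itself a signal worth alerting on.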

The “zero trust model” got some air time. (Here’s one resource on this model). The current paradigm is to focus all your efforts on keeping bad actors out and fully trusting those that are “in” the system. In the zero trust model, you don’t trust anyone, at least not entirely.

How can you use analytics about what is happening during an attack to proactively shut down the downstream components that you know are going to be attacked next?

Running the Trade Show Floor

I spent about an hour touring the show floor; that was plenty of time for me! I was surprised that I knew (or knew of) most of the vendors that were exhibiting. If there were any common threads among exhibitors, I would offer these two:

GDPR (General Data Protection Regulation; see here for more information) was a common “call to action” for vendors trying to get customers to invest in security. Memories of “Y2K” floated through my head.

Analytics is the big thing. Graphs, lines, arrows. There’s a tremendous amount of data generated by some of the security platforms, so having a way to digest and analyze it makes a big difference in whether you go home on time each day or not.

I also thought about the customer buying process today and how that has affected these kinds of trade shows. But that’s another topic for a different day.

And I can confirm this. Despite the “digital transformation” occurring everywhere, trade show exhibitors will always have something to give away to anyone willing to get their badge scanned into a lead capture system.

If nothing else, it was a beautiful day in San Francisco. And that made it all worthwhile.